If you like this project, consider purchasing licenses of OctoPwn, our full pentesting suite that runs in your browser!
For notifications on new builds/releases and other info, hop on to our Discord
Fully asynchronous SMB library written in pure python. Python 3.8+ ONLY
This project, alongside with many other pentester tools runs in the browser with the power of OctoPwn!
Check out the community version at OctoPwn - Live
Too many to list here, please check the examples.
Kirbi | CCACHE | AES/RC4/DES keys | NT hash | Password | Certificate | Certificate (PFX/PEM) | Certstore (Windows) | |
---|---|---|---|---|---|---|---|---|
Supported | Y | Y | Y | Y | Y | Y | Y | Y |
LM hash | NT hash | Password | |
---|---|---|---|
Supported | N | Y | Y |
Only on Windows.
This auth method uses the current user context. If you are NT/SYSTEM then it will use the machine account credentials.
NTLM | Kerberos | |
---|---|---|
Supported | Y | Y |
Certificate (PFX) | Certstore (Windows) | |
---|---|---|
Supported | Y | Y (using current user) |
This library also supports QUIC connection to Azure hosts
Protocol | Supproted |
---|---|
UDP | N |
TCP | Y |
QUIC | Y |
Supports Socks4 and Socks5 natively. Socks5 currently not supporting authentication.
Bear in mind, that proxy support doesnt always play well with all auth methods, see this table below.
SOCKS4 | SOCKS4A | SOCKS5 | |
---|---|---|---|
NTLM | Y | Y | Y |
Kerberos | N (incompatible) | Y | Y |
SSPI | Y (only local users) | Y (only local users) | Y (only local users) |
NEGOEX | Y | Y | Y |
I managed to condense all information needed to specify an SMB connection into an URL format.
It looks like this:
dialect-network+authmethod://user:secret@target:port/?param1=value1¶m2=value2
dialect
fomat: smbX/smbXXX
Where version
: 2
for any SBM2
3
for any SMB3
dialects, or specific 3 character code like 200
or 201
or 300
...
network
format: tcp
or quic
(leave empty for TCP)
authmethod
format: auth-type
Where auth
: ntlm
or kerberos
or sspi
or negext
Where type
: password
or nt
or aes
or rc4
or kirbi
...
user
format: DOMAIN\username
Where DOMAIN
: your domain
Where username
: your username
secret
format: Depends on the authmethod
's type
value
target
format: IP address or hostname of the target
port
format: integer describing the port
The following parameters are used (the user victim is trying to log in to the domain controller):
Username: victim
Domain: TEST
Passowrd: Passw0rd!1
DC IP address: 10.10.10.2
DC hostname: win2019ad
Socks4 proxy serer: 127.0.0.1
Socks4 proxy port : 9050
smb+ntlm-password://TEST\victim:[email protected]
smb+ntlm-nt://TEST\victim:[email protected]
smb+sspi-ntlm://10.10.10.2
smb+kerberos-password://TEST\victim:[email protected]/?dc=10.10.10.2
smb+kerberos-nt://TEST\victim:[email protected]/?dc=10.10.10.2
smb2+kerberos-pfx://user.pfx:[email protected]/?dc=10.10.10.2
smb2+kerberos-pem://cert.pem:[email protected]/?dc=10.10.10.2
smb2+kerberos-pem://cert.pem:[email protected]/?dc=10.10.10.2
smb+sspi-kerberos://win2019ad.test.corp
smb+ntlm-password://TEST\victim:[email protected]/?proxyhost=127.0.0.1&proxyport=9050
smb+ntlm-password://TEST\victim:[email protected]/?timeout=60
smb+negoex-pfx://certificate.pfx:[email protected]/
Example 12 - Negoex certstore auth using certificate from the current user's certstore (Windows only). (eg. Azure P2P auth)
smb+negoex-certstore://<subject CN of the certificate to use>@10.10.10.2/
- DCERPC: in progress, lot of features working already
- VSS mountpoint operations
- a lot of other things
This project is heavily based on the Impacket orignally by @agsolino.
The DCERPC strucutre definitions and DCERPC parsing in this project is almost identical to the Impacket project.
NEGOEX protocol implementation was based on AzureADJoinedMachinePTC created by @rubin_mor
Certificate request functionality was based on certi created by @zer1t0